Important Notes

Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability—Multiple vulnerabilities have been fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed version. See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa for details about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA version that had a vulnerable configuration, then regardless of the version you are currently running, you should verify that the portal customization was not compromised. If an attacker compromised a customization object in the past, then the compromised object stays persistent after you upgrade the ASA to a fixed version. Upgrading the ASA prevents this vulnerability from being exploited further, but it will not modify any customization objects that were already compromised and are still present on the system.

The Advanced Inspection and Prevention Security Services Card (AIP SSC) can take up to 20 minutes to initialize the first time it boots after a new image is applied. This initialization process must complete before configuration changes can be made to the sensor. Attempts to modify and save configuration changes before the initialization completes will result in an error.

See the “Upgrading the Software” section for downgrade issues after you upgrade the Phone Proxy and MTA instance, or if you upgrade the activation key with new 8.2 features.

When using Clientless SSL VPN Post-SSO parameters for the Citrix Web interface bookmark, Single Sign On (SSO) works, but the Citrix portal is missing the Reconnect and Disconnect buttons. Only the Log Off button appears. When not using SSO over Clientless, all three buttons show up correctly.

On the ASA 5510, Version 8.2 uses more base memory than previous releases. This might cause problems for some ASA 5510 users who are currently running low on free memory (as indicated in the show memory command output). If your current show memory command output displays less than 20% free, we recommend upgrading the memory on the ASA 5510 from 256 MB to 1 GB before proceeding with the Version 8.2 upgrade. See the “Memory Requirements” section.

On the ASA 5580, Version 8.2 shows increased CPU usage under stressed conditions than Version 8.1.

Connection Profile/Tunnel Group terminology in CLI vs. ASDM—The ASA tunnel groups define the initial connection parameters and attributes (such as AAA, client address assignment, and connection alias/group-url) for a remote access VPN session. In the CLI, they are referred to as tunnel groups, whereas in ASDM they are referred to as Connection Profiles. A VPN policy is an aggregation of Connection Profile, Group Policy, and Dynamic Access Policy authorization attributes.

Cosmetic startup message issue on the ASA 5585-X—Cisco manufacturing recently discovered a process error that resulted in loading a test build of BIOS firmware on many early shipments of the ASA 5585-X. On the affected units, more text than usual displays on the console during startup before reaching the “rommon>” prompt. Included in the extra output is the following message banner:

CISCO SYSTEMS Spyker Build, TEST build not for Customer Release

Embedded BIOS Version 2.0(7)2 19:59:57 01/04/11

While you may see this additional text, there is no functional impact to the ASA operation; you can ignore the additional text. The test build provides additional information that can be used by engineers to pinpoint hardware problems during the manufacturing process. Unfortunately, there is no field-upgradeable resolution to eliminate this message that does not require replacing the hardware.

Hardware with a serial number that falls within the following ranges could be impacted by this cosmetic issue. Note that not all serial numbers within these ranges are impacted.

– JMX1449xxxx – JMX1520xxxx

– JAF1450xxxx – JAF1516xxxx (for ASA-SSP-20-K8= only)

Hardware with the following Product IDs for the above serial numbers could be impacted by this cosmetic issue:

– ASA5585-S20-K8

– ASA5585-S20-K9

– ASA5585-S20P20-K8

– ASA5585-S20P20-K9

– ASA5585-S20P20XK9

– ASA5585-S20X-K9

– ASA-SSP-20-K8=

Only 4 GB of memory is available in ASA 8.2(5) for the ASA 5580 and 5585-X platforms.

All available memory in multi-core platforms (ASA 5580 and 5585-X) in ASA 8.2(5) are also available in ASA 8.4(1). To take advantage of the enhanced capability, you should upgrade your devices to the ASA 8.4.4(1) release.

Limitations and Restrictions

The SSL SHA-2 digital signature capability for authentication of AnyConnect SSL VPN sessions (Versions 2.5.1 and above) is not currently supported on ASA Version 8.2.4, yet it is supported in all 8.2.4.x interim releases. The feature was introduced in ASA interim Version 8.2.3.9.

Stateful Failover with Phone Proxy—When using Stateful Failover with phone proxy, information is not passed to the standby unit; when the active unit goes down, the call fails, media stops flowing, and the call must be re-established.

The ASA cannot fully support domain-based DFS. To support this, the ASA would need to join the Active Directory and query the Active Directory server for DFS referral. Instead the ASA sends the DFS referral to the DNS servers configured for the users. Since the AD server is the DNS server in most cases, the majority of customer configurations are covered.

(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing using the crypto engine large-mod-accel command instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.

Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.

The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.

Only users with a privilege level of 15 may copy files to the ASA using the the secure copy protocol (SCP).

Upgrading the Software

To upgrade to 8.2, see the “Managing Software and Configurations” chapter in Cisco ASA 5500 Series Configuration Guide using the CLI. Be sure to back up your configuration before upgrading.

Use the show version command to verify the software version of your adaptive security appliance. Alternatively, the software version appears on the ASDM home page.

Downloading Software from Cisco.com

Upgrading Between Major Releases

To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580).

Upgrading the Phone Proxy and MTA Instance

In Version 8.0(4), you configured a global media-termination address (MTA) on the ASA. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs). As a result of this enhancement, the old CLI has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration.

Note If you need to maintain downgrade compatibility, you should keep the old configuration as is.

To upgrade the Phone Proxy, perform the following steps:

Step 1Create the MTA instance to apply to the phone proxy instance for this release. See “Creating the Media Termination Instance” section in the Cisco ASA 5500 Series Configuration Guide using the CLI.

Step 2 To modify the existing Phone Proxy, enter the following command:

hostname(config)# phone-proxyphone_proxy_name

Where phone_proxy_name is the name of the existing Phone Proxy.

Step 3 To remove the configured MTA on the phone proxy, enter the following command:

hostname(config)# no media-termination addressip_address

Step 4 Apply the new MTA instance to the phone proxy by entering the following command:

hostname(config)# media-terminationinstance_name

Where instance_name is the name of the MTA that you created in Step 1.

Activation Key Compatibility When Upgrading

Your activation key remains compatible if you upgrade to Version 8.2 or later, and also if you later downgrade. After you upgrade, if you activate additional feature licenses that were introduced before 8.2, then the activation key continues to be compatible with earlier versions if you downgrade. However if you activate feature licenses that were introduced in 8.2 or later, then the activation key is not backwards compatible. If you have an incompatible license key, then see the following guidelines:

If you previously entered an activation key in an earlier version, then the adaptive security appliance uses that key (without any of the new licenses you activated in Version 8.2 or later).

If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version.

System Requirements

The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:

1.For the ASA 5510—Version 8.2 uses more base memory than previous releases, which might cause problems for some ASA 5510 users who are currently running low on free memory (as indicated in the show memory output). If your current show memory output displays less than 20% free, we recommend upgrading the memory on the ASA 5510 from 256 MB to 1 GB before proceeding with the release 8.2 upgrade.

Note If your ASA has only 64 MB of internal CompactFlash (which shipped standard in the past), you should not store multiple system images, or multiple images of the new AnyConnect VPN client components, client/server plugins, or Cisco Secure Desktop.

DRAM, Flash Memory, and Failover

In a failover configuration, the two units must have the same hardware configuration, must be the same model, must have the same number and types of interfaces, must have the same feature licenses, and must have the same amount of DRAM. You do not have to have the same amount of flash memory. For more information, see the failover chapters in Cisco ASA 5500 Series Configuration Guide using the CLI.

Note If you use two units with different flash memory sizes, make sure that the unit with the smaller flash memory has enough space for the software images and configuration files.

New Features in Version 8.2(5.13)

Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.

Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.

The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.

Also available in Version 8.4(2).

Remote Access Features

Portal Access Rules

This enhancement allows customers to configure a global clientless SSL VPN access policy to permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If denied, an error code is returned to the clients. This denial is performed before user authentication and thus minimizes the use of processing resources.

You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or disable mobile device access on a per-group basis, and gather information about connected mobile devices based on the mobile device posture data. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x. You do not need to enable CSD to configure these attributes in ASDM.

Licensing Requirements

Enforcing remote access controls and gathering posture data from mobile devices requires an AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license to be installed on the ASA. You receive the following functionality based on the license you install:

AnyConnect Premium License Functionality

Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies, on supported mobile devices, based on these DAP attributes and any other existing endpoint attributes. This includes allowing or denying remote access from a mobile device.

AnyConnect Essentials License Functionality

Enterprises that install the AnyConnect Essentials license will be able to do the following:

– Enable or disable mobile device access on a per-group basis and to configure that feature using ASDM.

– Display information about connected mobile devices via CLI or ASDM without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices.

Also available in Version 8.4(2).

Split Tunnel DNS policy for AnyConnect

This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

We introduced the following command: split-tunnel-all-dns.

Also available in Version 8.4(2).

SSL SHA-2 digital signature

You can now use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2 for other uses or products.

Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image.

We modified the following command: show crypto ca certificate (the Signature Algorithm field identifies the digest algorithm used when generating the signature).

Also available in Version 8.4(2).

L2TP/IPsec support for Android

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1 or later operating system.

This feature changes the preference of a connection profile during the connection profile selection process. By default, if the ASA matches a certificate field value specified in a connection profile to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN connection. This optional feature changes the preference to a connection profile that specifies the group URL requested by the endpoint. The new option lets administrators rely on the group URL preference used by many older ASA software releases.

We introduced the following command: tunnel-group-preference.

Also available in Version 8.4(2).

Interface Features

Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface

You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces; support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).

When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.

We modified the following command: timeout floating-conn.

Also available in Version 8.4(2).

New Features in Version 8.2(4.4)

Note We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.

Table 7 New Features for ASA Version 8.2(4.4)

Feature

Description

Hardware Features

Support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X

We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.

New Features in Version 8.2(4.1)

Note We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.

Table 8 New Features for ASA Version 8.2(4.1)

Feature

Description

Remote Access Features

SSL SHA-2 digital signature

This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes. Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.

New Features in Version 8.2(3.9)

Note We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.

Table 10 New Features for ASA Version 8.2(3.9)

Feature

Description

Remote Access Features

SSL SHA-2 digital signature

This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes. Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.

(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.

Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.

Note The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.

The following commands were introduced or modified: crypto engine large-mod-accel, clear configure crypto engine, show running-config crypto engine, and show running-config crypto.

Also available in Version 8.3(2).

Microsoft Internet Explorer proxy lockdown control

Enabling this feature hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections tab unchanged; the default setting for the tab can be shown or hidden, depending on the user registry settings.

The following command was introduced: msie-proxy lockdown.

Trusted Network Detection Pause and Resume

This feature enables the AnyConnect client to retain its session information and cookie so that it can seamlessly restore connectivity after the user leaves the office, as long as the session does not exceed the idle timer setting. This feature requires an AnyConnect release that supports TND pause and resume.

An administrator can now keep track of the number of users in the active state and can look at the statistics. The sessions that have been inactive for the longest time are marked as idle (and are automatically logged off) so that license capacity is not reached and new users can log in.

Also available in Version 8.0(5).

Application Inspection Features

Inspection for IP Options

You can now control which IP packets with specific IP options should be allowed through the ASA. You can also clear IP options from an IP packet, and then allow it through the ASA. Previously, all IP options were denied by default, except for some special cases.

Note This inspection is enabled by default. The following command is added to the default global service policy: inspect ip-options. Therefore, the ASA allows RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed mode.

You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.

Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.

In multiple context mode, auto-generated MAC addresses now use a user-configurable prefix, and other enhancements

The MAC address format was changed to allow use of a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair.

The MAC addresess are also now persistent accross reloads.

The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2.

The following command was modified: mac-address auto prefix prefix.

Also available in Version 8.0(5).

Support for Pause Frames for Flow Control on the ASA 5580 10 Gigabit Ethernet Interfaces

You can now enable pause (XOFF) frames for flow control.

The following command was introduced: flowcontrol.

Firewall Features

Botnet Traffic Filter Enhancements

The Botnet Traffic Filter now supports automatic blocking of blacklisted traffic based on the threat level. You can also view the category and threat level of malware sites in statistics and reports. Reporting was enhanced to show infected hosts. The 1 hour timeout for reports for top hosts was removed; there is now no timeout.

The following commands were introduced or modified: dynamic-filter ambiguous-is-black, dynamic-filter drop blacklist, show dynamic-filter statistics, show dynamic-filter reports infected-hosts, and show dynamic-filter reports top.

Connection timeouts for all protocols

The idle timeout was changed to apply to all protocols, not just TCP.

The following command was modified: set connection timeout.

Routing Features

DHCP RFC compatibility (rfc3011, rfc3527) to resolve routing issues

This enhancement introduces ASA support for DHCP RFCs 3011 (The IPv4 Subnet Selection Option) and 3527 (Link Selection Sub-option for the Relay Agent Information Option). For each DHCP server configured for VPN clients, you can now configure the ASA to send the Subnet Selection option or the Link Selection option.

The following command was modified: dhcp-server [ subnet-selection | link-selection].

Also available in Version 8.0(5).

High Availablility Features

IPv6 Support in Failover Configurations

IPv6 is now supported in failover configurations. You can assign active and standby IPv6 addresses to interfaces and use IPv6 addresses for the failover and Stateful Failover interfaces.

The following commands were modified: failover interface ip, ipv6 address.

No notifications when interfaces are brought up or brought down during a switchover event

To distinguish between link up/down transitions during normal operation from link up/down transitions during failover, no link up/link down traps are sent during a failover. Also, no syslog messages about link up/down transitions during failover are sent.

Also available in Version 8.0(5).

AAA Features

100 AAA Server Groups

You can now configure up to 100 AAA server groups; the previous limit was 15 server groups.

The following command was modified: aaa-server.

Monitoring Features

Smart Call Home

Smart Call Home offers proactive diagnostics and real-time alerts on the ASA and provides higher network availability and increased operational efficiency. Customers and TAC engineers get what they need to resolve problems quickly when an issue is detected.

Note Smart Call Home server Version 3.0(1) has limited support for the ASA. See the “Important Notes” for more information.

ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.

New session controls for ASDM users include the ability to limit the session time and the idle time. When the password used by the ASDM administrator times out, ASDM prompts the administrator to re-authenticate.

The following commands were introduced: http server idle-timeout and http server session-timeout. The http server idle-timeout default is 20 minutes, and can be increased up to a maximum of 1440 minutes.

Pre-fill Username from Certificate

The pre-fill username feature enables the use of a username extracted from a certificate for username/password authentication. With this feature enabled, the username is “pre-filled” on the login screen, with the user being prompted only for the password. To use this feature, you must configure both the pre-fill username and the username-from-certificate commands in tunnel-group configuration mode.

The double-authentication feature is compatible with the pre-fill username feature, as the pre-fill username feature can support extracting a primary username and a secondary username from the certificate to serve as the usernames for double authentication when two usernames are required. When configuring the pre-fill username feature for double authentication, the administrator uses the following new tunnel-group general-attributes configuration mode commands:

secondary-username-from-certificate —Allows for extraction of a few standard DN fields from a certificate for use as a username.

Double Authentication

The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.

To configure AnyConnect Essentials, the administrator uses the following command:

anyconnect-essentials —Enables the AnyConnect Essentials feature. If this feature is disabled (using the no form of this command), the SSL Premium license is used. This feature is enabled by default.

Disabling Cisco Secure Desktop per Connection Profile

When enabled, Cisco Secure Desktop automatically runs on all computers that make SSL VPN connections to the ASA. This new feature lets you exempt certain users from running Cisco Secure Desktop on a per connection profile basis. It prevents the detection of endpoint attributes for these sessions, so you might need to adjust the Dynamic Access Policy (DAP) configuration.

CLI: [no] without-csd command

Certificate Authentication Per Connection Profile

Previous versions supported certificate authentication for each ASA interface, so users received certificate prompts even if they did not need a certificate. With this new feature, users receive a certificate prompt only if the connection profile configuration requires a certificate. This feature is automatic; the ssl certificate authentication command is no longer needed, but the ASA retains it for backward compatibility.

EKU Extensions for Certificate Mapping

This feature adds the ability to create certificate maps that look at the Extended Key Usage extension of a client certificate and use these values in determining what connection profile the client should use. If the client does not match that profile, it uses the default group. The outcome of the connection then depends on whether or not the certificate is valid and the authentication settings of the connection profile.

You can purchase a shared license with a large number of SSL VPN sessions and share the sessions as needed among a group of ASAs by configuring one of the ASAs as a shared license server, and the rest as clients. The following commands were introduced: license-server commands (various), show shared license.

Firewall Features

TCP state bypass

If you have asymmetric routing configured on upstream routers, and traffic alternates between two ASAs, then you can configure TCP state bypass for specific traffic. The following command was introduced: set connection advanced tcp-state-bypass.

Per-Interface IP Addresses for the Media-Termination Instance Used by the Phone Proxy

In Version 8.0(4), you configured a global media-termination address (MTA) on the ASA. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs). As a result of this enhancement, the old CLI has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration.

Displaying the CTL File for the Phone Proxy

The Cisco Phone Proxy feature includes the show ctl-file command, which shows the contents of the CTL file used by the phone proxy. Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.

This command is not supported in ASDM.

Clearing Secure-phone Entries from the Phone Proxy Database

The Cisco Phone Proxy feature includes the clear phone-proxy secure-phones command, which clears the secure-phone entries in the phone proxy database. Because secure IP phones always request a CTL file upon bootup, the phone proxy creates a database that marks the IP phones as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). Alternatively, you can use the clear phone-proxy secure-phones command to clear the phone proxy database without waiting for the configured timeout.

This command is not supported in ASDM.

H.239 Message Support in H.323 Application Inspection

In this release, the ASA supports the H.239 standard as part of H.323 application inspection. H.239 is a standard that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone), sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel. The ASA opens a pinhole for the additional media channel. The endpoints use open logical channel message (OLC) to signal a new channel creation. The message extension is part of H.245 version 13. The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is preformed by ASN.1 coder.

Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck

H.323 application inspection has been enhanced to process common H.323 endpoints. The enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol identifier. Even when an H.323 endpoint does not send OLCAck after receiving an OLC message from a peer, the ASA propagates OLC media proposal information into the media array and opens a pinhole for the media channel (extendedVideoCapability).

IPv6 in transparent firewall mode

Transparent firewall mode now participates in IPv6 routing. Prior to this release, the ASA could not pass IPv6 traffic in transparent mode. You can now configure an IPv6 management address in transparent mode, create IPv6 access lists, and configure other IPv6 features; the ASA recognizes and passes IPv6 packets.

All IPv6 functionality is supported unless specifically noted.

Botnet Traffic Filter

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local “blacklist” or “whitelist.”

Note This feature requires the Botnet Traffic Filter license. See the following licensing document for more information:

The following commands were introduced: dynamic-filter commands (various), and the inspect dns dynamic-filter-snoop keyword.

AIP SSC card for the ASA 5505

The AIP SSC offers IPS for the ASA 5505 ASA. Note that the AIP SSM does not support virtual sensors. The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.

IPv6 support for IPS

You can now send IPv6 traffic to the AIP SSM or SSC when your traffic class uses the match any command, and the policy map specifies the ips command.

Management Features

SNMP version 3 and encryption

This release provides DES, 3DES, or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure authentication characteristics by using the User-based Security Model (USM).

The following commands were introduced:

show snmp engineid

show snmp group

show snmp-server group

show snmp-server user

snmp-server group

snmp-server user

The following command was modified:

snmp-server host

NetFlow

This feature was introduced in Version 8.1(1) for the ASA 5580; this version introduces the feature to the other platforms. The new NetFlow feature enhances the ASA logging capabilities by logging flow-based events through the NetFlow protocol.

Routing Features

Multicast NAT

The ASA now offers Multicast NAT support for group addresses.

Troubleshooting Features

Coredump functionality

A coredump is a snapshot of the running program when the program has terminated abnormally. Coredumps are used to diagnose or debug errors and save a crash for later or off-site analysis. Cisco TAC may request that users enable the coredump feature to troubleshoot application or system crashes on the ASA.

To enable coredump, use the coredump enable command.

Open Caveats

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in these sections to the resolved caveats from later releases. For example, if you are running Release 8.2(1), then you need to add the caveats in this section to the resolved caveats from 8.2(2) and above to determine the complete list of open caveats.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

Resolved Caveats

Resolved Caveats in Version 8.2(5)

The caveats listed in Table 15 were resolved in software Version 8.2(5). If you are a registered Cisco.com user you can view more information about each caveat using the Bug Toolkit at the following website:

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.